cross-realm auth and LDAP
Sam Hartman
hartmans at MIT.EDU
Thu Apr 8 13:09:41 EDT 2004
First, keep in mind that in the Kerberos world (but not the Active
Directory world), a cross-realm key says very little about trust.
If I share a key between company A and company B, then I'm trusting
that company B's KDC will accurately represent the identities of
company B users. Or put another way, the company B KDC must be
trusted at least as much as any user claiming to be from company B.
That is a weak trust requirement.
The real world example you cite is problematic, because while Kerberos
and LDAP are up to the task, Solaris isn't quite and pam_krb5
definitely is not.
Most Unix systems expect to find all their LDAP account information in
one place and to have a single unified namespace for accounts. If
your uids and usernames are unique across all companies, you can make
the Solaris box happy with referrals.
But most instances of pam_krb5 assume they can convert a login name to
a Kerberos principal simply by appending a default realm. This is not
inherent; you simply need to decide what behavior you want and write
code to accomplish it.
--Sam
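The last paragraph describes the mapping problem but leaves the "write code to accomplish it" part open. The following is an added example, not code from the post or from any pam_krb5 implementation: it contrasts the default-realm guess with a lookup of the principal recorded against each account, and adds the authorization step (is the authenticated principal the one this account is supposed to use, and is its realm one we accept) that a multi-realm login must perform. The account table, realm names and the idea of storing the principal as an account attribute are assumptions for the sake of the example; in a real deployment the table would be the LDAP entries.

```python
"""Login-name to principal mapping for a multi-realm site (illustrative)."""

DEFAULT_REALM = "COMPANYA.EXAMPLE"          # assumed local realm
TRUSTED_REALMS = {"COMPANYA.EXAMPLE", "COMPANYB.EXAMPLE"}  # realms we hold cross-realm keys for

# Constructed stand-in for the unified account directory: usernames and uids
# are unique across companies, and each entry records its Kerberos principal.
ACCOUNTS = {
    "alice": {"uid": 10001, "principal": "alice@COMPANYA.EXAMPLE"},
    "bob":   {"uid": 20001, "principal": "robert@COMPANYB.EXAMPLE"},
    "carol": {"uid": 30001, "principal": "carol@COMPANYC.EXAMPLE"},  # no cross-realm key
}


def split_principal(principal: str) -> tuple[str, str]:
    """Split 'name@REALM' on the last '@'; reject malformed or service principals."""
    if "@" not in principal:
        raise ValueError(f"principal {principal!r} has no realm")
    name, realm = principal.rsplit("@", 1)
    if not name or not realm or "/" in name:
        raise ValueError(f"principal {principal!r} is not a user principal")
    return name, realm


def naive_login_to_principal(login: str) -> str:
    """The behaviour the post warns about: append the default realm and hope."""
    return f"{login}@{DEFAULT_REALM}"


def login_to_principal(login: str) -> str:
    """Resolve a login name via the account directory instead of guessing."""
    entry = ACCOUNTS.get(login)
    if entry is None:
        raise LookupError(f"unknown account {login!r}")
    principal = entry["principal"]
    _, realm = split_principal(principal)
    if realm not in TRUSTED_REALMS:
        raise PermissionError(f"realm {realm!r} is not a trusted cross-realm peer")
    return principal


def principal_allowed_for(principal: str, login: str) -> bool:
    """Authorization check after the KDC has authenticated `principal`.

    The realm's KDC only vouches for identities in its own realm, so an
    account is usable only by the exact principal recorded for it; a same-named
    user in another trusted realm must not be treated as the same person.
    """
    try:
        return login_to_principal(login) == principal
    except (LookupError, PermissionError, ValueError):
        return False
```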